Moodle MDL-14624

mnet can't setup a peer when a proxy is in use.

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9, 2.0
    • Fix Version/s: 2.0.10
    • Component/s: MNet
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE
    • Rank:
      344

      Description

      The mnet code doesn't contain any checks for proxies. This is actually fairly easy to fix, as using curl through a proxy is done (and proven) in other places. It only requires the routine that scrapes the site title to use download_file_content() - which just works - and the curl call that gets the SSO key to be modified to check for proxies - mainly by taking the code from the former function.

          Activity

          Howard Miller added a comment -

          Should now be able to establish link with peer through a HTTP proxy. Mostly uses existing (hence tested hopefully) functions and code snippets.

          Dan Poltawski added a comment -

          Hi Howard,

          I am just wondering if this works?

          My vague memory was that the mnet handshaking would check that the incoming request comes from the same IP address as DNS resolves the host to. So using a proxy would cause that check to fail? (But also, if you are using a proxy and can't get out directly, how does the mnet peer verify who you are and chat back to you?)

          Howard Miller added a comment -

          A very good point that I had not considered. However, it works perfectly from behind my Squid firewall. I can now connect to either Moodle or Mahara and I couldn't before. I'll have a bit more of a think about it, and see if I can justify why it works though.

          Howard Miller added a comment -

          Just checking - both Moodle sites report the IP address of the peer machine as its actual IP address. The presence of the proxy doesn't seem to make any difference. I haven't checked the exact operation, but I guess that if the xmlrpc packet simply contains the originating host name then the IP still resolves correctly and it all works. As long as the path to "get back" is established (proxy or no) then you have a connection. I suppose this means that it doesn't check what the IP was that the request came from!

          Petr Škoda added a comment -

          Please consider reverting this in MOODLE_19_STABLE - see MDL-14659

          Howard Miller added a comment -

          This fix could cause problems, without resolving MDL-14659 so that proxies can be excluded for (typically) local addresses.

          Howard Miller added a comment -

          Changes reverted in 1.9. Will leave in HEAD and continue to resolve MDL-14659.

          Howard Miller added a comment -

          Fixed in HEAD only. MNET now uses Proxy settings if specified, but you can bypass it for specified domains if you so wish.

          Howard Miller added a comment -

          Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

          This really needs that curl code to be put in the library, as the proxy code will be duplicated again and again.

          Penny Leach added a comment -

          Howard is this fixed?

          Howard Miller added a comment -

          Hi Penny,

          My recollection is that this needs some proper testing still. I'm happy to work on it but I won't have any time for (maybe) a few weeks.

          Howard

          Penny Leach added a comment -

          ping?

          Howard Miller added a comment -

          Pung, but moving house this week. Soon!!! Need longer days and less need for sleep

          Penny Leach added a comment -

          ping again!

          (sorry to nag but it's my last moodle hq mnet week)

          Martin Dougiamas added a comment -

          Can I close this?

          Penny Leach added a comment -

          Martin I think not - the comment from Howard which says:

          >> Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

          Makes me think it probably shouldn't be closed, and needs further testing.

          Howard Miller added a comment -

          Unless you/we are convinced this works correctly I would note that I never tested this exhaustively with all the possible combinations of inside/outside a proxy.

          Yes I know I should have done - hours/day issues again.

          Jan Kristoffer Roth added a comment -

          Affects Version 2.5.2 too.
          My solution: add Proxy check under curl_setopt (line 374 in mnet/xmlrpc/client.php)

          // check for proxy
          if (!empty($CFG->proxyhost) and !is_proxybypass($uri)) {
              // SOCKS supported in PHP5 only
              if (!empty($CFG->proxytype) and ($CFG->proxytype == 'SOCKS5')) {
                  if (defined('CURLPROXY_SOCKS5')) {
                      curl_setopt($httprequest, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
                  } else {
                      curl_close($httprequest);
                      print_error('socksnotsupported', 'mnet');
                  }
              }

              curl_setopt($httprequest, CURLOPT_HTTPPROXYTUNNEL, false);

              if (empty($CFG->proxyport)) {
                  curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost);
              } else {
                  curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost.':'.$CFG->proxyport);
              }

              if (!empty($CFG->proxyuser) and !empty($CFG->proxypassword)) {
                  curl_setopt($httprequest, CURLOPT_PROXYUSERPWD, $CFG->proxyuser.':'.$CFG->proxypassword);
                  if (defined('CURLOPT_PROXYAUTH')) {
                      // any proxy authentication if PHP 5.1
                      curl_setopt($httprequest, CURLOPT_PROXYAUTH, CURLAUTH_BASIC | CURLAUTH_NTLM);
                  }
              }
          }

          A better solution would be a single CURL class (xmlrpc client) for all modules.

          BTW. in some cases (maybe php-versions) you need to add CURLOPT_HTTPHEADER -> Expect:

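The thread twice asks for the proxy logic to live in one shared place instead of being copied into each curl call. The following is an added example of such a helper, not Moodle's code and not part of any comment above. The `example_*` function names, the comma-separated `proxybypass` list format and the sample hosts are assumptions; it needs PHP's curl extension.

```php
<?php
// Added example, not Moodle code. The example_* names are hypothetical and the
// comma-separated bypass list format is an assumption. Needs ext-curl.

// True when the URL's host is named in the bypass list.
function example_is_bypassed(string $bypasslist, string $url): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparsable URL: never skip the proxy by accident
    }
    $entries = array_map('trim', explode(',', strtolower($bypasslist)));
    return in_array(strtolower($host), $entries, true);
}

// Build the cURL options for one outgoing request from the proxy settings.
function example_proxy_options(stdClass $cfg, string $url): array {
    $opts = [CURLOPT_HTTPHEADER => ['Expect:']]; // no "Expect: 100-continue"
    if (empty($cfg->proxyhost) || example_is_bypassed($cfg->proxybypass ?? '', $url)) {
        $opts[CURLOPT_PROXY] = ''; // empty string forces a direct connection
        return $opts;
    }
    if (($cfg->proxytype ?? 'HTTP') === 'SOCKS5') {
        if (!defined('CURLPROXY_SOCKS5')) {
            throw new RuntimeException('SOCKS5 proxy configured but not supported');
        }
        $opts[CURLOPT_PROXYTYPE] = CURLPROXY_SOCKS5;
    }
    $opts[CURLOPT_HTTPPROXYTUNNEL] = false;
    $opts[CURLOPT_PROXY] = empty($cfg->proxyport)
        ? $cfg->proxyhost
        : $cfg->proxyhost . ':' . $cfg->proxyport;
    if (!empty($cfg->proxyuser) && !empty($cfg->proxypassword)) {
        $opts[CURLOPT_PROXYUSERPWD] = $cfg->proxyuser . ':' . $cfg->proxypassword;
        $opts[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC | CURLAUTH_NTLM;
    }
    return $opts;
}

// Constructed settings and peer URLs, for illustration only.
$cfg = (object) ['proxyhost' => 'proxy.example.org', 'proxyport' => 3128,
                 'proxybypass' => 'localhost, 127.0.0.1, intranet.example.org'];
foreach (['https://peer.example.net/mnet/xmlrpc/server.php',
          'http://intranet.example.org/mnet/xmlrpc/server.php'] as $url) {
    $ch = curl_init($url);
    $opts = example_proxy_options($cfg, $url);
    curl_setopt_array($ch, $opts);
    printf("%s via %s\n", $url, $opts[CURLOPT_PROXY] === '' ? 'direct' : $opts[CURLOPT_PROXY]);
}
```

Because the proxy credentials are only added on the non-bypassed branch, a request to a bypassed local peer never carries them.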
